-
Notifications
You must be signed in to change notification settings - Fork 131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shim 15.8 for TeraByte #369
Comments
Just waiting patiently, while customers disable secure boot on their systems. FWIW, the latest Gpg4win outlook plugin no longer crashes outlook so it's in place and also added the corp email to the newer openpgp key servers rather than our really old ones on the MIT server. |
Reviewing.
It will be required to receive the signed binary. The latest comment says:
I found one that sounds just like this:
Is this one the correct one? Should I look elsewhere for another one?
I don't understand how the answer relates to the question - however, I can manually check the package mentioned in the question above that one, that is
But I can see you did have a signed shim binary once here. So why is it N/A?
An earlier answer shed some more light on the matter, that is:
However, each kernel rebuild shall use an ephemeral key, not only a new version update.
Please, provide them as part of updating the application - they will be needed to make sure that certain build dependencies have been used, especially since they may change in the meantime, as Fedora 38 is still being updated. More on this at the very bottom of this comment.
Please, paste them here. You can get them by running the following command:
That's the example for the shim binary. Do so for others that make use of the SBAT mechanism.
I don't know if other reviewers, as well as Microsoft, are willing to accept such process, but I can play around with analyzing the binaries statically. However, as a curiosity, Fedora 38 is still being updated until 05/14/2024 , so if the build dependencies change, the binary might become non-reproducible. If possible, prefer using the releases that don't receive updates anymore. |
I'm not sure how to quote the comment for the comments like you did above, but here are the answers: 1 - Yes, the one you found TeraByte Corporate corp@terabyteunlimited.com is correct, publicly published. 2 - We are moving to a newer GRUB version (that has all fixes in place) and the new shim won't be able to load the old GRUB. So I guess "yes", would be the answer. 3 - It's N/A because we had no bugs in our part of the software being loaded so no need to blacklist it. I presume the SBAT entries (or NX requirement) will handle it (something is already preventing loading on updated systems). Or is it even if SHIM itself needs to be updated, we have to provide old hashes to our builds (I thought that was why SBAT was created - to prevent overloading the database). 4 - We typically only use the new key on updates from say 6.6 to 6.7 but not 6.6.1 to 6.6.2 but we can. 5 - I just figured if you build the binary and it's the same, that's all that is needed. Is there an exact process to pull them out of the docker build (do they exist or do we need to pipe the output somehow). I've seen the updates happen but the binary output is the same. If you tell me exactly what you want I can get it for you. 6 - The shim was provided and figured you would want to look what was in there, but I can post here as well (I extracted this from the .efi): 7 - I don't recall the prior versions doing that, but I noticed the hash was different on each build and I looked in to it, it was the PE header time/date field (plus what looks like a crc of the header). Is there a better fedora number to use, it doesn't matter to me as long as it builds okay. Is Fedora 37 a good one to use? I'll move to that one if that would be better. Thank You. |
I just ran a test using Fedora 37 - the nice thing is the binary hash matches each build - this is because the date/time field is 0, whereas the newer compiler/linker in Fedora 38 actually outputs the date/time (although the binary is slightly smaller too). So this board will have to deal with that at some point. I'll just revert to 37 so that I'm not having to hassle with thing because of being on the bleeding edge. So someone just let me know exactly what log I'm supposed to get and how to get it. I don't see much docker output. If I rebuild it, you see all the installing of fedora items, if I just build where it just recompiles the shim, there is hardly any output. But the binary will match. |
Okay, I updated the issue - New link and hash provided in original message. I also output the the build capture to the same folder the shim is output to. When you run the docker_make_shim it will overwrite the items in terabyte_shim-15.8_built so you may want to save them away if you want to compare them. I also put a copy of the shim .efi in the root of the submissions (basically copied out of terabyte_shim-15.8_built). |
The confirmation email can be sent anytime someone is ready... |
Did you get the updated .zip ? |
Are you guys checking in to the policy for SBAT vs adding to DBX ? Just wondering why the delay, MS said sometimes they are communicating with you guys behind the scenes. |
I managed to scratch the surface and I'm posting the results as of today. I still have some work to do with this application, though. I'll answer as much questions as possible too, but that will take some time.
I copy and paste all the text that I want to reference and format it with Markdown syntax appropriately. Then I paste it as comments
I'll soon send a verification email and post another comment after it's sent. Once received, you'll need to decrypt it and paste the random words, that I'll send, here as a new comment.
Thanks! The build does reproduce now. |
Verification email sent. |
The words are: |
Alright! Just so the question about those patches is confirmed as answered positively.
OK - this answer seems valid and I simply expected it in the application (README.md) rather than "N/A".
If an ephemeral key is used, it shall be used per each build. So the built kernel and its specific modules are bound in a way, so it can't load others that are unrelated (unsigned or signed with an unrelated key). Please, update the appropriate section in README.md and ping me once the change is there - the application seems OK right now, and once that one section is corrected, I'll add the "extra review wanted" label and one more review will be required - another reviewer might be pinged for extra help; may not be in the committee, as you've already had a signed shim binary in the past.
They're all right there - thank you.
If something does happen behind the scenes, it naturally stays behind the scenes. ;-) The delays may be for many reasons, but one of them is that in most cases people volunteer their free time and energy to do the reviews. Usually after long, hard days at work. Right now in my timezone it's 5 AM as I'm writing this comment.
Sorry, which .zip file is it about? |
I was referring to the the new tag link - which you obviously have.
It's updated, new tag: https://github.com/TBOpen/shim-review/releases/tag/TeraByte-Shim15.8-x64-20240310 Thanks. |
Oh, OK. Seems alright now - feel free to ping another reviewer. May or may not be in the committee. |
Thanks, I don't want to bug anyone, I presume it won't take long for the regulars to check it out ... |
@SherifNagy @vden-irm @dennis-tseng99 |
Reviewing === Review for Shim 15.8 for TeraByte #369 ===
What patches are being applied and why:
|
Thanks. grub patch is already mainstream to be in next Debian grub 2.12-2 (and grub 2.12 itself) (except of course the title). shim patch disables fallback, we don't need it or want it, works around compiler warning treated as error issues, and allows providing second stage filename in shim.dat file instead of hard coded or parameter in uefi boot item because that is how we do it. |
Understood. Let's accept it. |
Thanks! |
Completed. |
Updated Feb 23, 2024:
Confirm the following are included in your repo, checking each box:
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/TBOpen/shim-review/releases/tag/TeraByte-Shim15.8-x64-20240310
What is the SHA256 hash of your final SHIM binary?
02c4bf81a5f359213d80ec365366d8be35b02bf84e522802c5fc8ee8694c8e05 *shimx64.efi
What is the link to your previous shim review request (if any, otherwise N/A)?
https://github.com/TBOpen/shim-review/releases/tag/TeraByte-Shim15.4-x64-20210510
The text was updated successfully, but these errors were encountered: